Spotting and Reporting Phishing Attacks
A phishing incident is a type of social engineering attack that involves a cyber-criminal using scam emails, text messages or phone calls to deceive a victim. Phishing attacks exploit people, aiming to trick individuals into doing the wrong thing, such as clicking a suspicious link that downloads malware or steals personal information. Despite a high level of scam awareness, people still frequently fall victim to phishing incidents. According to the Department for Digital, Culture, Media & Sport, 83% of cyber-security breaches in 2021 stemmed from phishing attacks. As such, it’s essential for your organisation to remain vigilant.
A well-trained workforce is the first line of defence against phishing attacks. It’s vital that employees don’t make themselves an easy target. Remind staff to be careful when sharing personal and company information online, as cyber-criminals can use this information to tailor an attack. Consider creating a digital footprint policy describing what staff can and can’t disclose online. Additionally, train staff to spot and report phishing attacks by looking out for the following ‘red flags’:
- Urgency—Messages that ask for immediate responses are often scams designed to pressurise recipients into making quick decisions before fully analysing the facts.
- Emotion—Cyber-criminals regularly make false claims of support or use threatening language to instil fear into recipients.
- Scarcity—Some scam messages try to lure victims by offering things in short supply (eg deals on expensive goods or services).
- Current events—Cyber-criminals may exploit big events or current news stories to make their scams seem more relevant.
- Authority—Scammers might claim to be someone official (eg a bank or government worker). Therefore, it’s important to carefully check the sender’s details on all messages received. Often, a scam message will be sent from a public email domain rather than an official business address. If in doubt, it’s best to cross-reference the sender’s details against those displayed on the official company website.
No matter how rigorous your phishing training is, employees may still occasionally fall victim to these attacks. Remind staff to immediately report suspicious emails and messages to the IT department. Additionally, adopt a multilayered approach to phishing defences. Organisational measures should include implementing email filtering and blocking mechanisms, utilising two-factor authentication and making sure only supported software and devices are in use.
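The red-flag checks listed above, together with the "report it to IT" step, as an added Python triage helper that is not part of the original article: it parses the sender header, compares the domain against the organisation's genuine domains, and scans for the urgency and threat wording the article describes. The public webmail list, the phrase lists, the `examplebank.co.uk` domain and the sample message are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed list of public webmail domains; extend it for your environment.
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Constructed phrases matching the article's "urgency" and "emotion" red flags.
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "act now")
THREAT_PHRASES = ("account will be suspended", "legal action", "final warning")


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the address in a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def red_flags(from_header, subject, body, official_domains):
    """List the red flags a message trips (empty list means none tripped).

    official_domains: the organisation's genuine email domains, taken from
    its official website as the article advises.
    """
    flags = []
    name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    text = f"{subject}\n{body}".lower()
    is_official = any(domain == d or domain.endswith("." + d) for d in official_domains)
    if domain in PUBLIC_DOMAINS:
        flags.append("authority: public email domain, not an official address")
    if domain and not is_official:
        # Display name borrows the organisation's name but the address does not.
        org_names = (d.split(".")[0] for d in official_domains)
        if any(org in name.lower() for org in org_names):
            flags.append("authority: display name claims official sender but domain differs")
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency: demands an immediate response")
    if any(p in text for p in THREAT_PHRASES):
        flags.append("emotion: threatening language")
    return flags


# Constructed sample reported to IT: a "bank" alert sent from a webmail account.
SAMPLE_FROM = "ExampleBank Security <examplebank.alerts@gmail.com>"
SAMPLE_SUBJECT = "Urgent: verify your account"
SAMPLE_BODY = "Your account will be suspended unless you act within 24 hours."

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_FROM, SAMPLE_SUBJECT, SAMPLE_BODY, {"examplebank.co.uk"}):
        print("red flag ->", flag)
```

Keyword lists like these catch only the crude cases; they are a triage aid for the IT team, not a replacement for the filtering and blocking controls mentioned above.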
For more information on phishing attack prevention, contact one of our risk professionals today.